Cloudflare WAF Firewall rules for WordPress

On the Cloudflare free plan, Cloudflare grants five firewall rules. By adding WordPress-specific Cloudflare firewall rules, you can secure your site and block attacks before they even reach your server.

Zone-level Web Application Firewall (WAF) detects and mitigates malicious requests across all traffic under this zone.

I have updated the Cloudflare WAF firewall rules which I have used for many years and I improved and simplified them.

I also found out that cf.threat_score greater than 0 is equivalent to setting the Security Level in Security > Settings to High

You can add the 3 rules hereunder and copy and paste the expressions to the expression editor in Cloudflare > Security > WAF

expression editor

cf.threat_score gt 0 →  Managed Challenge

(cf.threat_score gt 0)

WordPress Login Protection → Managed Challenge

(http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/wp-admin/" and http.request.uri.path ne "/wp-admin/admin-ajax.php")

WordPress Content Protection → Block

(http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".php" and not http.referer contains "") or (http.request.uri.path contains "/wp-content/" and http.request.uri.path contains ".js" and not http.referer contains "")or (http.request.uri.path contains "/wp-includes/" and not http.referer contains "") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-config.php")

Replace the URL with the URL of the website. It will also work on subdomains because it contains the domain name.


Add additional protection to your WordPress website using the free firewall rules.

The WordPress Content Protections only block “.php” and “.js” files if the referrer is not coming from your domain. I discovered that some search engines are indexing images.

Disable XML-RPC and protect the wp-config.php file. Block direct access to files in the wp-content and wp-includes directories for an extra layer of security. Stop bots or bad traffic to the login page and wp-admin directory using a managed challenge.

Leave a Comment